The new version of the Citrix NetScaler server load balancer provides an application firewall function. The official description is no different from the application firewalls offered by other vendors: comprehensive defense. Let me test it.
Purpose:
1. Test the application firewall's defense against SQL injection, XSS and CSRF.
2. Measure the performance overhead of enabling the application firewall function.
Basic configuration process:
Enable the application firewall:
Systems > Settings > Change basic features. Check Application Firewall.
Configure profiles:
Application Firewall > Profiles. At least one processing action (profile) must be configured.
By default, four profiles are available:
Appfw_block: blocks the request and returns the specified page.
Appfw_bypass: ignores the request and allows it through.
Appfw_drop: discards the request and returns nothing.
Appfw_reset: resets the connection.
New policy:
Application Firewall > Policies. There must be at least one policy associated with a profile. You have to define the policy yourself !!! There is no default policy !!!
Apply the policy:
Application Firewall > Policies, select one policy and click Global Bindings.
Procedure:
1. Systems > Settings > Change basic features. Select Application Firewall.
2. Create a profile: Application Firewall > Profiles > Add
Profile name: test; Profile type: Web Application (HTML)
3. Modify the configuration of the new profile:
Because no blocking is required in the test phase, only the hit log needs to be recorded.
4. Create a policy:
Application Firewall > Policies
As for policy configuration, NetScaler is too unfriendly. There is no instruction document and no template.
Here I configure the policy to capture the POST and GET packets of all HTTP requests.
5. Apply the policy:
Application Firewall > Policies
Preliminary test of defense capability
Find a page with one XSS vulnerability.
http://ip/topic.php?tid=214607%27and%201=1 (tests SQL injection defense)
http://ip/topic.php?tid=214607%22%3E%3CsCrIpT%3Ealert%2868117%29%3C/sCrIpT%3E (tests XSS defense)
All of the above simple probes are caught. This is just simple keyword capture. Because no packets are blocked, the false positive rate does not need to be tested.
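To show what "simple keyword capture" in a log-only profile amounts to, here is an added illustration (not NetScaler code, and the signatures and sample request lines are constructed): it URL-decodes each request, lowercases it and matches a handful of SQL injection and XSS signatures, including the two probes used above and a benign search that a keyword match would log as a false positive.

```python
"""Toy model of log-only keyword capture as performed by a basic app-firewall profile.

Added example, not NetScaler code. Signatures and sample requests are constructed;
a real appliance ships far larger signature sets.
"""
import re
from urllib.parse import unquote_plus

SIGNATURES = {
    "sqli": [
        re.compile(r"'\s*(and|or)\s+\d+\s*=\s*\d+", re.I),  # ' and 1=1 style tautology
        re.compile(r"\b(union\s+select|sleep\s*\()", re.I),  # stacked/timing keywords
    ],
    "xss": [
        re.compile(r"<\s*script\b", re.I),             # catches case-mixed <sCrIpT>
        re.compile(r"\bon\w+\s*=|javascript:", re.I),  # event handlers, js: URLs
    ],
}

def normalize(raw_url: str) -> str:
    """Decode twice so double-encoded payloads (%253C) are inspected too, then lowercase."""
    return unquote_plus(unquote_plus(raw_url)).lower()

def inspect(request_line: str) -> dict:
    """Classify one 'METHOD URL' log-style line; hits are logged, never blocked."""
    method, url = request_line.split(" ", 1)
    decoded = normalize(url)
    hits = sorted({cat for cat, pats in SIGNATURES.items()
                   if any(p.search(decoded) for p in pats)})
    return {"method": method, "request": decoded, "hits": hits}

# Constructed sample lines; the first two are the probes from the test above,
# the last is a benign search that a keyword match still logs (false positive).
SAMPLE_REQUESTS = [
    "GET /topic.php?tid=214607%27and%201=1",
    "GET /topic.php?tid=214607%22%3E%3CsCrIpT%3Ealert%2868117%29%3C/sCrIpT%3E",
    "GET /topic.php?tid=214607",
    "GET /search.php?q=union+select+tutorial",
]

def run(lines=SAMPLE_REQUESTS) -> list:
    """Inspect every sample line and return the per-request results."""
    return [inspect(line) for line in lines]

if __name__ == "__main__":
    for r in run():
        print("HIT" if r["hits"] else "ok ", r["hits"], r["request"])
```

Reviewing the hit log for entries like the last one is exactly what the log-only test phase is for: it shows the false-positive rate before any blocking profile is bound.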
Performance overhead:
Test tool: ab (ApacheBench)

Requests  Concurrency  CPU       Mem     Management CPU  Note
0         0            0.1%      26.87%  1%              idle
1000      200          1%-2.5%   26.88%  0.7%            policy applied
1000      200          0.2%      26.88%  0.7%            no policy applied
Extrapolating to the production NetScaler serving the main application, which handles 15000 connections, the CPU overhead of the configured policy is too high. Enabling this function is not recommended.
Conclusion: the NetScaler application firewall implements simple application firewall functions that can defend against general initial probing, but it has a high performance overhead. If it is used together with application-layer load balancing, enabling it is not recommended.